192 |
- |
1 |
# Fail2Ban configuration file
|
|
|
2 |
#
|
|
|
3 |
# Enable "log-auth-failures" on each Sofia profile to monitor
|
|
|
4 |
# <param name="log-auth-failures" value="true"/>
|
|
|
5 |
# -- this requires a high enough loglevel on your logs to save these messages.
|
|
|
6 |
#
|
|
|
7 |
# In the fail2ban jail.local file for this filter set ignoreip to the internal
|
|
|
8 |
# IP addresses on your LAN.
|
|
|
9 |
#
|
|
|
10 |
|
|
|
11 |
[INCLUDES]
|
|
|
12 |
|
|
|
13 |
# Read common prefixes. If any customizations available -- read them from
|
|
|
14 |
# common.local
|
|
|
15 |
before = common.conf
|
|
|
16 |
|
|
|
17 |
[Definition]
|
|
|
18 |
|
|
|
19 |
_daemon = freeswitch
|
|
|
20 |
|
|
|
21 |
# Parameter "mode": normal, ddos or extra (default, combines all)
|
|
|
22 |
# Usage example (for jail.local):
|
|
|
23 |
# [freeswitch]
|
|
|
24 |
# mode = normal
|
|
|
25 |
# # or with rewrite filter parameters of jail:
|
|
|
26 |
# [freeswitch-ddos]
|
|
|
27 |
# filter = freeswitch[mode=ddos]
|
|
|
28 |
#
|
|
|
29 |
mode = extra
|
|
|
30 |
|
|
|
31 |
# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
|
|
|
32 |
_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
|
|
|
33 |
|
|
|
34 |
prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
|
|
|
35 |
|
|
|
36 |
cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
|
|
|
37 |
|
|
|
38 |
mdre-normal = %(cmnfailre)s
|
|
|
39 |
^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
|
|
40 |
|
|
|
41 |
mdre-ddos = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
|
|
42 |
|
|
|
43 |
mdre-extra = %(cmnfailre)s
|
|
|
44 |
<mdre-ddos>
|
|
|
45 |
|
|
|
46 |
failregex = <mdre-<mode>>
|
|
|
47 |
|
|
|
48 |
ignoreregex =
|
|
|
49 |
|
|
|
50 |
datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
|
|
|
51 |
{^LN-BEG}
|
|
|
52 |
|
|
|
53 |
# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
|
|
|
54 |
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
|
|
|
55 |
# Thanks to Jim on mailing list of samples and guidance
|
|
|
56 |
#
|
|
|
57 |
# No need to match the following. Its a duplicate of the SIP auth regex.
|
|
|
58 |
# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
|